College Student Expelled After Finding Software Flaw Gets Job Offers

Below:

Next story in Tech and gadgets

A Montreal college student was expelled after alerting school
officials to "sloppy coding" that exposed the personal
information of more than 250,000 students.

But in a strange twist, half a dozen companies have offered him a
job — including the software company whose product he criticized
and which threatened to call police on him.

In November, Hamed Al-Khabaz, a student at Dawson College, and a
friend discovered it was easy to access the
financial and personal information of students enrolled into
the Quebec community-college system.

That information, entered into the Omnivox course-enrollment
system used by many provincial colleges and universities,
included Social
Insurance Numbers (akin to U.S. Social Security numbers) and
tuition and payment details.

Blowing the whistle

"I felt I had a moral duty to bring it to the attention of the
college," Al-Khabaz, 20, told Canada's National Post. "I could have
easily hidden my identity behind a proxy. I chose not to
because I didn't think I was doing anything wrong."

School officials agreed he hadn't. Al-Khabaz said they
congratulated him and promised to fix the flaw.

But two days later, Al-Khabaz decided to check the fix for
himself by running a program for testing website vulnerabilities
against Omnivox.

He quickly got a phone call from Edouard Taza, president of
Skytech, the company that runs Omnivox and hosts each school's
enrollment systems on its own servers. Taza accused Al-Khabaz of
mounting a cyberattack.

"He told me that I could go to jail for six to 12 months for what
I had just done, and if I didn't agree to meet with him and sign
a non-disclosure agreement, he was going to call the RCMP [Royal
Canadian Mounted Police] and have me arrested," Al-Khabaz said.

Taza told the Post Al-Khabaz "should have known better than to
use [the website-testing software] without permission."

"He simply made a mistake," Taza said.

Kicked out, and turnabout

That mistake got Al-Khabaz expelled from Dawson for what the
school called a "serious professional conduct issue."

A website has been created soliciting signatures for an online petition in support of
Al-Khabaz's reinstatement. As of this morning (Jan. 22) it had
been signed more than 7,000 times.

"The story that has been reported by many media today ... was
relying on an incomplete version of what had happened," Dawson
College Director General Richard Filion told CBC Radio. "The
other side of the story is related to facts that we cannot
divulge."

The college's student union, which is trying to get Al-Khabaz
reinstated, told the National Post in a follow-up story that he'd received several
job offers.

One potential employer told the National Post that it was
"disgraceful that a very skilled student ... would be
expelled and punished for the rest of his life for trying to help
protect his fellow students."

One offer came from Skytech itself. The company also offered
Al-Khabaz a scholarship so he could finish his studies at a
private college.

"At this point, it appears Dawson has no intention of letting me
back in," Al-Khabaz told the National Post. "I may have to look
at all the other offers I have received and pick the best one."